[PDB-521] Use /dev/urandom instead of /dev/random Created: 2014/03/24  Updated: 2016/01/20  Resolved: 2014/04/14

Status: Closed
Project: PuppetDB
Component/s: None
Affects Version/s: None
Fix Version/s: PDB 2.0.0

Type: Improvement Priority: Normal
Reporter: Daniele Sluijters Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: trivial
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Story Points: 2
Sprint: 20140409 to 20140423


We should switch PuppetDB to use /dev/urandom instead of /dev/random. This will improve startup times and will help a lot of people running PuppetDB on virtual hardware as it will no longer block while waiting on enough entropy.

People are usually scared of /dev/urandom but there's no need for that in this case. urandom is perfectly well suited for most cryptographic operations, save for generating long-lived SSL/GPG/SSH keys:

If you are unsure about whether you should use /dev/random or /dev/urandom, then probably
you want to use the latter. As a general rule, /dev/urandom should be used for everything except
long-lived GPG/SSL/SSH keys.

OpenSSL also defaults to using /dev/urandom.
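
An added example, not part of the ticket or of the PuppetDB init scripts: a shell check that reports which entropy device a JVM command line selects. It assumes the override is made with the JVM's java.security.egd system property (the ticket does not say how the init scripts are changed); the function names and sample argument strings are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample JVM argument strings (not taken from any real init script).
SAMPLE_URANDOM='-Xmx192m -Djava.security.egd=file:/dev/./urandom -jar app.jar'
SAMPLE_RANDOM='-Xmx192m -Djava.security.egd=file:/dev/random -jar app.jar'
SAMPLE_UNSET='-Xmx192m -jar app.jar'
# Two overrides on one line; assumed here that the last occurrence takes effect.
SAMPLE_TWICE='-Djava.security.egd=file:/dev/random -Djava.security.egd=file:///dev/urandom'

# egd_source ARGS: print the value of the last -Djava.security.egd= option,
# or nothing when the option is absent. Runs in a subshell so that disabling
# globbing (set -f) does not leak into the caller.
egd_source() (
    set -f
    src=""
    for arg in $1; do
        case "$arg" in
            -Djava.security.egd=*) src="${arg#-Djava.security.egd=}" ;;
        esac
    done
    printf '%s' "$src"
)

# classify_egd ARGS: print one of
#   urandom  override points at /dev/urandom (non-blocking)
#   random   override points at /dev/random (may block on low entropy)
#   default  no override on the command line; the JDK's java.security file decides
#   other    override points somewhere else
classify_egd() {
    src=$(egd_source "$1")
    [ -n "$src" ] || { echo default; return 0; }
    # Normalise file:/dev/./urandom and file:///dev/urandom to /dev/urandom.
    path=$(printf '%s\n' "$src" |
        sed -e 's#^file:##' -e 's#/\./#/#g' -e 's#^//*#/#')
    case "$path" in
        /dev/urandom) echo urandom ;;
        /dev/random)  echo random ;;
        *)            echo other ;;
    esac
}

for sample in "$SAMPLE_URANDOM" "$SAMPLE_RANDOM" "$SAMPLE_UNSET" "$SAMPLE_TWICE"; do
    printf '%-8s %s\n' "$(classify_egd "$sample")" "$sample"
done
```

On a live Linux host the argument string can be taken from /proc/PID/cmdline with the NUL separators turned into spaces.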

Comment by Daniele Sluijters [ 2014/03/24 ]

I'll raise a PR shortly for the init-scripts.

Comment by Ken Barber [ 2014/04/14 ]

PR raised by Daniele Sluijters here: https://github.com/puppetlabs/puppetdb/pull/917
